TrendLabs Malware Blog - Trend Micro
    Park n Spam

    Aug 16, 9:40 am (UTC-7)

    Parked domains are domain names that are currently not in use, meaning there is no actual web site behind the domain. Domain parking happens when an entity buys a domain name but does not have a web site ready yet (it can also be a form of typo-squatting).


    In this case, the domain name owner can contact a domain parking company that will use the domain name to serve advertisements. The domain name owner is paid according to the number of visits to the parked domain. Recently, ScanSafe discovered several parked domains that not only serve advertisements, but also malware! The malicious file, it seems, is downloaded from the domain smalltool.net. The downloaded file, setup.exe, seems to target German users, based on the fake EULA shown by the file when executed.


    [Image: setup-cchost.JPG]


    Setup.exe then installs cchost.exe in the C:\Program Files\cchost folder, together with the “uninstall” file unins000.exe and the data file unins000.dat. When unins000.exe is executed, it deletes itself and unins000.dat, but leaves cchost.exe behind.


    All files mentioned are detected as TROJ_SMALL.ITG. Cchost.exe is the main malware file; it connects to smalltool.net to retrieve commands. A description by Kaspersky reveals that smalltool.net is a spam domain, serving e-mail addresses and spam messages to machines infected by TROJ_SMALL.ITG, effectively making them spam zombies. As of this writing, smalltool.net is not yet giving commands to cchost.exe to spam. Maybe it’s just waiting for the right time?
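An added triage example built from the indicators in this post (not Trend Micro's code): it finds proxy-log clients that contacted smalltool.net and classifies a machine's file listing, treating cchost.exe without its uninstaller files as the leftover state described above. The proxy log format, IP addresses and file listings are constructed assumptions.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators taken from the post.
C2_DOMAIN = "smalltool.net"
INSTALL_DIR = PureWindowsPath(r"C:\Program Files\cchost")
PAYLOAD = "cchost.exe"
UNINSTALL_FILES = {"unins000.exe", "unins000.dat"}

def is_c2_url(url):
    """Match smalltool.net and its subdomains, but not look-alike hosts."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def file_state(paths):
    """Classify one machine's file listing against the install layout."""
    # PureWindowsPath compares case-insensitively, like the Windows filesystem.
    found = {PureWindowsPath(p).name.lower() for p in paths
             if PureWindowsPath(p).parent == INSTALL_DIR}
    if PAYLOAD not in found:
        return "absent"
    # unins000.exe deletes itself and unins000.dat but not cchost.exe, so the
    # payload without either uninstaller file means "uninstalled", still infected.
    return "installed" if found & UNINSTALL_FILES else "residual"

def c2_clients(proxy_lines):
    """Client IPs that requested the C2 domain. Assumed line format:
    'timestamp client_ip method url status', with absolute URLs."""
    hits = set()
    for line in proxy_lines:
        fields = line.split()
        if len(fields) >= 4 and is_c2_url(fields[3]):
            hits.add(fields[1])
    return hits

# Constructed sample data, not taken from a real incident.
SAMPLE_PROXY = [
    "T09:01:02 10.0.0.5 GET http://smalltool.net/ 200",
    "T09:05:10 10.0.0.7 GET http://www.SmallTool.net./ 200",
    "T09:06:00 10.0.0.9 GET http://notsmalltool.net/ 200",
    "T09:07:00 10.0.0.9 GET http://smalltool.net.example.org/ 200",
]
SAMPLE_FILES = {
    "10.0.0.5": [r"C:\Program Files\cchost\cchost.exe",
                 r"C:\Program Files\cchost\unins000.exe"],
    "10.0.0.7": [r"c:\program files\CCHOST\CCHOST.EXE"],
    "10.0.0.9": [r"C:\Windows\System32\svchost.exe"],
}
```

A "residual" machine is the one to watch: the uninstaller has run, yet the file that talks to smalltool.net is still on disk.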






    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice